Lionel,
If RACF is broken and you are still IPL'd off of the CP Module with RACF
in it then the only 2 users you can log on to are RACFVM and/or
RACMAINT. Unless RACF for VM has changed in the last few years.
I would suggest Dave Jones's idea of keeping a NON-RACF CP module
available to IPL from.
good luck
Bill Munson
VM System Programmer
Office of Information Technology
State of New Jersey
(609) 984-4065
President MVMUA
http://www.marist.edu/~mvmua
Lionel B. Dyck wrote:
Operator was an exception just in case RACF were down and we needed to
use it to recover. If this is not required then I'm very open to making
it conform.
Thanks
------------------------------------------------------------------------
Lionel B. Dyck, Consultant/Specialist
Enterprise Platform Services, Mainframe Engineering
KP-IT Enterprise Engineering, Client and Platform Engineering Services
(CAPES)
925-926-5332 (8-473-5332) | E-Mail: [EMAIL PROTECTED]
AIM: lbdyck | Yahoo IM: lbdyck
Kaiser Service Credo: "Our cause is health. Our passion is service.
We're here to make lives better."
"Never attribute to malice what can be caused by miscommunication."
From: "Ponte, Doug" <[EMAIL PROTECTED]>
To: IBMVM@LISTSERV.UARK.EDU
Date: 09/26/2007 08:10 AM
Subject: Re: z/vm security advise requested
------------------------------------------------------------------------
Agreed. Although, why is OPERATOR proposed as an exception?
From: The IBM z/VM Operating System on behalf of Huegel, Thomas
Sent: Wed 26-Sep-07 10:35
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: z/vm security advise requested
I think once you have RACF installed all of the other security problems
you describe are solved.
-----Original Message-----
From: The IBM z/VM Operating System
[mailto:[EMAIL PROTECTED]] On Behalf Of Lionel B. Dyck
Sent: Wednesday, September 26, 2007 9:30 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: z/vm security advise requested
To keep our auditors happy (assuming that is possible) to secure our
z/vm (5.3) environment I am planning on doing the following. Note that
our environment is purely in support of linux virtualized servers and
the only cms users are the handful of sysprogs supporting z/vm.
1. installing both racf/vm and dirmaint
2. all linux virtual server guests will be defined with LBYONLY and a
LOGONBY for the sysprogs
3. all system machines with the exception of Operator will also be
defined with LBYONLY and LOGONBY for the sysprogs
Does anyone see any issues/exposures with this approach?
Thanks